What We Should Learn From “Facebook Research”

Once again, Facebook has broken the trust of its users—this time, through reportedly paying people to give up their privacy by installing an application that sucks up huge amounts of sensitive data, and explicitly sidestepping Apple's Enterprise Developer program rules. In doing so, the company has repeated several of the privacy-abusive practices that it’s been chastised for before. This underscores just how little the company has learned from a year of user complaints, privacy group criticisms, and Congressional hearings, and it emphasizes the need for legislators to pass new laws to protect the public.

Facebook wasn’t the only company sidestepping Apple’s Enterprise Developer TOS to enable a highly invasive “market research” program. As TechCrunch reported, Google has been running a similar program for some time, using many of the same techniques as Facebook in addition to its own unique surveillance methods.

Root of All Evil

After Apple kicked Onavo out of the Apple Store, Facebook resorted to extraordinary measures to continue market research on iOS users. Specifically, it paid users to install an app distributed through Apple’s Enterprise Developer program, which required them to add a “trusted” root certificate from Facebook to their devices.

VPN operators shouldn’t spy on their customers, period. But when they do, their ability to do so is limited by encryption, especially through TLS. Encryption prevents ISPs and VPNs like Onavo from seeing the contents of the traffic flowing to and from your device. For example, as you browse www.eff.org, all such an intermediary sees is a garbled stream of nonsense flowing between you and EFF’s servers. But a root certificate changes that.

That power can be invaluable if you’re a security or privacy researcher, an app developer, or just a curious user. Using a custom root certificate, you can set up your device to monitor the traffic between your device and the Internet, including encrypted traffic to third parties. This allows researchers to analyze the privacy properties of mobile applications, including what data they actually collect and send. In the past, security researchers have used root certificates to help expose apps that peddle usage data to advertisers (like Facebook and Google) or exploit sensitive health information.

However, when you install a corporation’s root certificate for a “research” app, you’re also handing it the keys to your most private information. If Facebook can convince you to install its certificate on your device, it can execute a “machine-in-the-middle” attack to insert itself between you and whomever you’re trying to talk to. It sidesteps the security of websites that support HTTPS and most other TLS-encrypted communications. When you try to establish an encrypted connection between your device and, say, your bank, Facebook can silently intercept your traffic before it leaves your phone, collecting your private information before sending it on its way. Meanwhile, both your device and your bank’s server will think everything is A-OK.
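To make the trust mechanics concrete, here is an added example (not part of the original article) using the openssl command line; the CA names, bank.example and all file names are constructed. It shows that a certificate for a site issued by an added root is rejected by a trust store that lacks that root and accepted once the root is appended, and that the issuer field reveals who is actually vouching for the connection.

```shell
#!/bin/sh
# Added example: every name, key and file here is constructed for illustration.

# Build two self-signed roots and one leaf for bank.example in directory $1.
make_demo_pki() {
  dir="$1"
  # Root that a "research" profile would add to the device (constructed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Research Root" \
    -keyout "$dir/research.key" -out "$dir/research.pem" 2>/dev/null
  # Root standing in for the device's factory trust store (constructed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Public Root" \
    -keyout "$dir/public.key" -out "$dir/public.pem" 2>/dev/null
  # Certificate for bank.example issued by the research root, i.e. what an
  # intercepting party would present in place of the bank's real certificate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -days 1 \
    -CA "$dir/research.pem" -CAkey "$dir/research.key" -CAcreateserial \
    -out "$dir/leaf.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a root in trust store $1.
leaf_trusted_by() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints who vouches for certificate $1; this is the field to inspect when
# checking whether a connection is being re-signed by a locally added root.
leaf_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  leaf_trusted_by "$d/public.pem" "$d/leaf.pem" \
    && echo "factory store: accepted" || echo "factory store: rejected"
  # Installing the profile is equivalent to appending its root to the store.
  cat "$d/public.pem" "$d/research.pem" > "$d/store.pem"
  leaf_trusted_by "$d/store.pem" "$d/leaf.pem" \
    && echo "after adding root: accepted" || echo "after adding root: rejected"
  leaf_issuer "$d/leaf.pem"
  rm -rf "$d"
}
demo
```

Nothing about the leaf changes between the two checks; only the contents of the trust store do, which is why auditing the list of installed roots and profiles on a device matters.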

This isn’t just a theoretical concern. Applause, one of the partners Facebook worked with to distribute its app, disclosed this on its (now defunct) signup page:

> You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.

We cannot overstate the power this gives the company. And though we’ve tried our best in this post, it’s hard to explain this power at all. So it’s disingenuous for Facebook to claim that its test subjects gave anything like informed consent—especially considering the company specifically advertised to kids. As Will Strafach, the researcher who analyzed Facebook’s app at the request of TechCrunch, put it:

> This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.

Apple to the Rescue?

Last year, Apple removed Onavo from the Apple Store. And this week, Apple revoked Facebook’s Enterprise Developer Credentials, which blocked the research app as well as many of Facebook’s internal corporate tools. Which brings us to a separate problem:

On one hand, Facebook’s use of VPN data to feed its dystopian corporate panopticon is a surreptitious abuse of users’ trust. On the other hand, the fact that Apple has the power to effectively ban Onavo for all of its close-to-a-billion iOS users is also wrong. Apple’s app store has blocked apps on a variety of arbitrary, anticompetitive, or censorious grounds in the past, and the company makes it exceedingly difficult for users to install software from outside its crystal prison.

Furthermore, while Google and Facebook clearly broke Apple’s “Enterprise Developer Program” Terms of Service and abused root certificate power to perform market research, that doesn’t mean custom root certificates or “side-loaded” apps are the problem. You should always be able to do what you want with the devices you buy: you own it, you pwn it. But you should never let an organization like Facebook pwn your devices so it can watch you use TikTok.

The right solution to bad behavior by a tech giant like Facebook or Google is not unilateral action by another tech giant like Apple. We cannot stake our rights to privacy and security on corporate turf wars. Instead, we need to fight for reasonable limits on the ways companies can use our data, and demand that they act in our best interests as a matter of course. Facebook obviously needs a massive privacy and transparency overhaul—but it’s far from the only company violating user privacy. It’s time for legislatures at every level to establish carefully-tailored rules to protect user privacy, and to stop letting the companies with the worst privacy track records dictate users’ legal rights.
